System and method for kernel rootkit protection in a hypervisor environment

ABSTRACT

A system and method for rootkit protection in a hypervisor environment includes modules for creating a soft whitelist having entries corresponding to each guest kernel page of a guest operating system in a hypervisor environment, wherein each entry is a duplicate page of the corresponding guest kernel page, generating a page fault when a process attempts to access a guest kernel page, and redirecting the process to the corresponding duplicate page. If the page fault is a data page fault, the method includes fixing the page fault, and marking a page table entry corresponding to the guest kernel page as non-executable and writeable. If the page fault is an instruction page fault, the method includes marking a page table entry corresponding to the guest kernel page as read-only. Redirecting changing a machine page frame number in a shadow page table of the hypervisor to point to the corresponding duplicate page.

RELATED APPLICATION

This application is a continuation (and claims the benefit of priorityunder 35 U.S.C. § 120) of U.S. application Ser. No. 13/273,002, filedOct. 13, 2011, entitled “SYSTEM AND METHOD FOR KERNEL ROOTKIT PROTECTIONIN A HYPERVISOR ENVIRONMENT,” Inventors Amit Dang, et al. The disclosureof the prior application is considered part of (and is incorporated inits entirety by reference in) the disclosure of this application.

TECHNICAL FIELD

This disclosure relates in general to the field of computer networksand, more particularly, to a system and a method for kernel rootkitprotection in a hypervisor environment.

BACKGROUND

The field of computer network security has become increasingly importantand complicated in today's society. Computer network environments areconfigured for virtually every enterprise or organization, typicallywith multiple interconnected computers (e.g., end user computers,laptops, servers, printing devices, etc.). Moreover, cloud serviceproviders (and other organizations that run multiple applications andoperating systems) may use hypervisor technology to run variousdifferent guest operating systems concurrently on a host device. Ahypervisor is computer software/hardware platform virtualizationsoftware that allows multiple operating systems to run on a hostcomputer concurrently. Security threats can originate externally andinternally in the hypervisor environment. These threats in thehypervisor environment can present further challenges to ITadministrators.

BRIEF DESCRIPTION OF THE DRAWINGS

To provide a more complete understanding of the present disclosure andfeatures and advantages thereof, reference is made to the followingdescription, taken in conjunction with the accompanying figures, whereinlike reference numerals represent like parts, in which:

FIG. 1 is a simplified block diagram illustrating components of a systemfor kernel rootkit protection in a hypervisor environment according toan example embodiment; and

FIG. 2 is a simplified flow-chart illustrating example operational stepsthat may be associated with embodiments of the present disclosure.

DETAILED DESCRIPTION OF EXAMPLE EMBODIMENTS

Overview

A system and method in example embodiments include modules for creatinga soft whitelist having entries corresponding to each guest kernel pageof a guest operating system in a hypervisor environment, wherein eachentry is a duplicate page of the corresponding guest kernel page,generating a page fault when a process attempts to access a guest kernelpage, and redirecting the process to the duplicate page corresponding tothe guest kernel page. If the page fault is a data page fault, themethod includes fixing the page fault, and marking a page table entrycorresponding to the guest kernel page as non-executable and writeable.If the page fault is an instruction page fault, the method includesmarking a page table entry corresponding to the guest kernel page asread-only.

In example embodiments, redirecting the process includes pointing avirtual address of the guest kernel page to a machine page frame numberof the duplicate page corresponding to the guest kernel page. Otherembodiments include marking a page table entry of each guest kernel pageas NOT_PRESENT in a shadow page table of the hypervisor. Otherembodiments may includes setting a lockdown feature bit in thehypervisor during domain creation to enable rootkit protection.

In some embodiments, soft whitelist is created after the guest OS hasloaded kernel components at boot. The soft whitelist may be created bywalking a shadow page table of the hypervisor and mapping a virtualaddress of each guest kernel page to a machine page frame number of thecorresponding duplicate page. In yet other embodiments, if the guest OShas not loaded at least some kernel components, the method includesmapping a virtual base address of each guest kernel page to a machinepage frame number of the corresponding duplicate page and otherfeatures.

Example Embodiments

FIG. 1 is a simplified block diagram illustrating an exampleimplementation of a system 10 for kernel rootkit protection in ahypervisor environment. As used herein, a “hypervisor” is a hardwarevirtualization entity that allows one or more operating systems (OSs),termed guest OSs, to run concurrently on a host device (e.g., computer).Virtualization allows the guest OSs to run unmodified on isolatedvirtual environments (typically referred to as virtual machines, orguests), where the host device's physical characteristics and behaviorsare reproduced. More specifically, a guest can represent an isolated,virtual environment equipped with virtual hardware (processor, memory,disks, network interfaces, etc.). According to the embodimentillustrated in FIG. 1, system 10 comprises a hypervisor 12, whichprovides a virtualization environment to a guest 14. Any number ofguests may be hosted on hypervisor 12 within the broad scope of thepresent disclosure. A single guest is representatively illustrated inFIG. 1 for ease of explanation.

Hypervisor 12 controls and manages a hardware 16 of a host device (notshown) that is allocated for use by guest 14. Guest 14 may run a guestOS 18 on hypervisor 12. Guest OS 18 may support one or more applications20 (referred to herein in the singular as application 20 to refer to oneof the applications). As used herein, the term “application” is used ina broad sense to refer generically to any software file, library module,function, subroutine, binary, instruction set, code block, or othersimilar operating unit that comprises instructions that can beunderstood and processed by a computer with or without assistance (e.g.,compilation, interpretation, etc.).

Hypervisor 12 may manage access of applications 20 to underlyinghardware 16, such as a processor 22 and a machine memory 24. As usedherein, “machine memory” refers to a memory element that is visible tohypervisor 12 as available on the host device. Guest OS 18 may presentto applications 20 a guest virtual memory 26, which accesses a guestphysical memory 28. As used herein, the term “guest virtual memory”refers to a substantially continuous virtual address space that isvisible to applications 20 running inside guest 14. An address spacerefers to a range of discrete addresses, each of which may correspond toa memory location (i.e., address) at which an application (e.g.,application 20) can store data and retrieve data later. As used herein,the term “guest physical memory” refers to the virtual memory that isvisible to guest OS 18.

Guest physical memory 28 may create kernel pages 30 during operation.When guest OS loads its guest kernel into memory, the guest kernel isdivided into pages (e.g., guest kernel pages 30), with some pagescontaining kernel instructions, and other pages containing kernel data.Each page, including each of guest kernel pages 30, is typically ofstandard size (e.g., 4 kB), and is associated with an address (e.g.,guest virtual address). Guest OS 18 maps the virtual address of eachpage to a corresponding “physical” address through page tables. Althoughthe guest memory (e.g., guest virtual memory 26 and guest physicalmemory 28) is virtual, guest OS 18 assumes that guest physical memory 28is real or “physical.” However, the guest physical memory (e.g., guestphysical memory 28) is merely an abstraction utilized by hypervisor 12for maintaining correct mapping to the (real) host physical address(also called machine address).

A page table is a data structure used by guest OS 18 to store a mappingbetween virtual addresses and “physical” addresses. A page tablecontains several page table entries (PTEs), each PTE mapping a virtualaddress to a corresponding “physical” address (e.g., from guest virtualaddress to guest physical address or from guest physical address tomachine address). The PTE includes the “physical” address (e.g., guestphysical address or machine address) and other information relevant to apage in the appropriate memory element (e.g., guest physical memory 28or machine memory 24), such as whether the page is present, the page isread-only or read/write, etc.

Shadow page table 32 can be used by hypervisor 12 to map guest physicalmemory 28 to machine memory 24 for a currently executing process. A“process” is an instance of an application (or a portion thereof), whoseinstructions are being executed. Shadow page table 32 includes pagetable entries (PTEs) 34 corresponding to guest kernel pages 30. Each ofPTEs 34 includes the machine address and other information relevant tothe respective kernel page that is loaded into machine memory 24.According to an example embodiment, PTEs 34 may be marked as NOT_PRESENTin shadow page table 32.

A rootkit protection module 36 in hypervisor 12 can create duplicatepages 38 in hypervisor 12 for corresponding guest kernel pages 30 inguest OS 18. A page fault handler 40 may conditionally allow or denyaccess to or execution of appropriate guest kernel pages 30 when aprocess attempts to access a guest kernel page 30. A domain 0 (DOM0) 42running on hypervisor 12 may have special rights to access physicalhardware 16 as well as interact with other guests running on the system.DOM0 42 may have a lockdown module 44 for controlling certain lockdownfeatures of rootkit protection module 36 in hypervisor 12.

For purposes of illustrating the techniques of system 10, it isimportant to understand the activities and security concerns that may bepresent in a given system such as the system shown in FIG. 1. Thefollowing foundational information may be viewed as a basis from whichthe present disclosure may be properly explained. Such information isoffered earnestly for purposes of explanation only and, accordingly,should not be construed in any way to limit the broad scope of thepresent disclosure and its potential applications.

Typical computing architecture supports four rings (numbered 0 to 3) ofprivilege levels to protect system code and data from beingunintentionally or maliciously overwritten by lower privileged code.Ring 0 is the highest privilege level, while ring 3 is the lowest. OSsmay use different privilege levels for different processes. For example,Windows OS uses two privilege levels (rings 0 and 3) for process anddata security. Code for applications such as Internet Explorer andMicrosoft Word and a number of Windows services (e.g., Service ControlManager, Local System Security Authority, Winlogon, Session Manager, andRPC Server, etc.) run within ring 3.

Kernel-level code runs within ring 0 and is used in device drivers andkernel components such as managers for virtual memory, cache,Input/Output, object, plug and play, a hardware abstraction layer,graphics subsystem, file systems, and network protocol implementations.A kernel connects applications to the hardware of a computing device. Ingeneral, a kernel comprises several components that could vary dependingon the OS. For example, Linux OS may include components such as lowlevel drivers (e.g., architecture specific drivers responsible forcentral processing unit (CPU), memory management unit (MMU) and on-boarddevices' initialization); process scheduler (e.g., component responsiblefor fair CPU time slice allocation to different processes); memorymanager (e.g., component responsible for allocating and sharing memoryto different processes); file system (e.g., components that abstractunderlying file systems so as to present a unified file system interfaceto a user); network interface (e.g., component that provides access andcontrol to different networking devices); device drivers (e.g., highlevel drivers), etc. Applications generally use system function calls(e.g., Win 32 API calls) to communicate with the kernel.

A rootkit alters the flow of a normal execution path (e.g., of a processin an application) to make its stealth implementation successful. Arootkit is software that enables continued privileged access to a devicewhile actively hiding its presence by subverting standard OSfunctionality. Rootkits normally modify the data returned by systemfunction calls to hide their binary files, processes, and registryentries. Depending on where they run and what area in the system theyhook, rootkits can generally be classified in one of two types: usermode rootkits and kernel rootkits. User-mode rootkits are relativelyeasy to detect and repair because they execute with user-modeprivileges. Kernel rootkits, on the other hand, execute with systemprivileges, making them more challenging to detect and repair. Kernelrootkits load (i.e., inject) their code into the kernel address space,typically by installing a kernel-mode device driver. For example, kernelrootkits may be installed by injecting kernel code into a running kernelusing a kernel module, or by writing new code to a piece of unusedkernel memory, or by inserting a kernel module file, etc. Once thedelivery mechanism is in place, kernel rootkits can disrupt the flow ofthe normal execution path of a process.

Kernel rootkits are a significant challenge in desktop security. Kernelrootkits can launch various attacks such as opening system backdoors,stealing private information, disabling security measures, and executingother malware applications. Typically, an attacker installs a kernelrootkit on a computer after first obtaining root-level access, either byexploiting a known vulnerability or by obtaining a password (e.g., bycracking the encryption, through social engineering, etc.). Once akernel rootkit is installed, it allows an attacker to mask the ongoingintrusion and maintain privileged access to the computer bycircumventing normal authentication and authorization mechanisms. Kernelrootkits may be hard to detect because a kernel rootkit may be able tosubvert the software that is intended to find it. Detection methodsinclude using an alternate, trusted operating system; behavioral-basedmethods; signature scanning; difference scanning; and memory dumpanalysis. Removal can be complicated or practically impossible,especially in cases where the kernel rootkit resides in the kernel.

In a hypervisor environment, effects of an attack may be severe. Oneinfected guest could infect all other guests on the host device. Forexample, an attacker can get administrator privileges on hardware byinfecting a guest, and can move from one guest to another over thehypervisor environment. In situations where the hypervisor hosts tens ofhundreds of guests, such a guest-to-guest attack can have catastrophicresults.

Hypervisor environments present an opportunity to provide kernel rootkitprotection without the need for a guest-resident protective software.Guests run on top of the hypervisor in a virtualized host device.Traditional kernel rootkit protection mechanisms can be installed oneach instance of the guest running on the hypervisor; however suchmethods result in significant overhead in terms of memory, run timeperformance and management. Ideally, kernel rootkit protectionmechanisms would sit outside the kernel (which is being protected byit), which may not be possible in non-virtualized environments.Moreover, customers running guests in cloud (virtualized) environmentsmay like the cloud service providers to provide kernel rootkitprotection transparently.

In one method of kernel rootkit protection, a hardwarevirtualization-based Harvard architecture is used to protect commodityOS kernels from kernel rootkit attacks. This approach is based onpage-level redirection of instruction fetches, which departs from priorefforts that perform instruction-level redirection. Another technique inthe approach enables mode-sensitive redirection by redirecting onlykernel instruction fetches. However, this approach requires an agent ineach guest, adding to infrastructure overhead. The approach alsomodifies an executables and linkable format (ELF) loader (in Linux OS)to help with the rootkit protection; such modifications to the OS arecumbersome. Also, this approach uses translation lookaside buffer (TLB)cache manipulation to switch between code and data page tables, whichcan be hard to implement.

A system for kernel rootkit protection in a hypervisor environmentoutlined by FIG. 1 can resolve these issues, among others. Embodimentsof the present disclosure seek to vastly improve capabilities ofexisting technologies to allow for a more robust solution. In exampleembodiments, components of system 10 may create a soft whitelist, forexample, duplicate pages 38, of guest kernel pages 30 inside hypervisor12. Each entry in the soft whitelist (i.e., duplicate pages 38) is aduplicate page of the corresponding guest kernel page. Guest kernel codecan execute from duplicate pages 38 even if guest kernel pages 30 havebeen modified after guest OS 18 has booted. Similarly, no new code maybe allowed to execute because the corresponding page would not bepresent in the initial whitelist (i.e., duplicate pages 38). ANOT_PRESENT bit in shadow page table 32 may be used to intercept accessto hypervisor 12. PTEs 34 may be marked as writable or executable (afterinitially marking them as NOT_PRESENT) (for example, to ensure thatminimum page faults for better performance).

Duplicate pages 38 may be created after guest OS 18 has bootedcompletely and has loaded its kernel components (e.g., processscheduler, memory manager, file systems, etc.). As used herein, the term“boot” refers to a boot sequence, which is the initial set of operationsthat a computer performs when power is switched on. In an exampleembodiment, duplicate pages 38 may be created only at the boot time sothat any new page cannot be executed (as all executions are routed viaduplicate pages). Moreover, when a new kernel page is created, it ismarked as NOT_PRESENT by default. Thereafter, components of system 10can ensure that any changes in existing kernel pages (including additionof new pages or modification of existing pages subsequent to boot) arenot allowed to execute. In example implementations, system 10 canprotect against day-zero threats as it is based on white-listing. System10 may be implemented by public cloud infrastructure providers andcompanies employing private clouds. System 10 may provide a transparentlayer of security. The solution may be especially useful for customerswho do not change their base OS configuration frequently, but ratherchange the data stored on it (e.g., a web host service provider).

Turning to memory management in a hypervisor environment, the guest OS(e.g., guest OS 18) provides a virtual address space layout in guestvirtual memory (e.g., guest virtual memory 26) to applications (e.g.,application 20). The address space of the guest virtual memory may bedivided into user space, which is accessible to applications (e.g.,applications 20), and system space, which includes boot drivers, processpage tables, system cache, paged and non-paged pools, etc. Typically,the address locations of the system pages are hardcoded (or knownapriori). For example, a 4 GB of the guest virtual memory may beseparated into 3 GB of user space, with addresses ranging from0xBFFFFFFF to 0x00000000, and system space, with addresses ranging from0xFFFFFFFF to 0xC0000000.

The guest OS handles virtual to physical address mappings through pagetables. While virtual address space (e.g., guest virtual memory 26) isgenerally contiguous, the addresses may be mapped to non-contiguousblocks in the physical address space (e.g., guest physical memory 28).Virtual to physical mapping information is placed in a page table instructures called page table entries (PTEs). The format of the PTEs mayvary with the OS, for example, Linux OS may specify one format, andWindows XP OS may specify another format. In general, PTEs typicallycontain a bit to indicate whether the page referenced by the PTE ispresent (or valid). For example, when a process begins loading intomachine memory (e.g., machine memory 24), the guest OS assumes that thepages are loading into guest physical memory (e.g., guest physicalmemory 28), and generates corresponding page tables. The present bit forthe pages being loaded into machine memory are set to 0 (indicatingNOT_PRESENT) until all the pages are loaded into memory. Once all thepages are loaded, the present bit for the pages may be set to 1(indicating PRESENT) in the respective PTEs. During the loading, if anattempt is made (by the process) to access a page marked NOT_PRESENT, apage fault may be generated.

In example embodiments, any page table maintained by guest 14 may have acorresponding shadow page table (e.g., shadow page table 32), which isgenerated and maintained by hypervisor 12. Guest OS 18 does not haveaccess to shadow page table 32. At boot, guest OS 18 may load its kernelto memory (e.g., in the form of guest kernel pages 30) from thecomputer's hard disk. Rootkit protection module 36 may mark PTEs 34corresponding to guest kernel pages 30 as NOT_PRESENT in shadow pagetable 32. In one example, rootkit protection module 36 may determinethat a page is one of guest kernel pages 30 by reading a virtual addressof the page. If the virtual address lies within a particular range(e.g., predetermined range), the page may be one of guest kernel pages30, and corresponding PTE 34 may be marked as NOT_PRESENT.

When a page fault occurs, control transfers from the processor (e.g.,processor 22) executing the instruction that caused the page fault tothe hypervisor (e.g., hypervisor 12). The hypervisor's page faulthandler (e.g., page fault handler 40) can determine the instructionpointer and the faulting address, for example, to determine whether thepage fault is an instruction page fault or a data page fault. Forexample, if the instruction pointer (i.e., the pointer pointing to thememory address, which the processor will next attempt to execute) pointsto the faulting address, then the page fault is an instruction pagefault.

Turning to the infrastructure of FIG. 1, hypervisor 12 can run multipleinstances of guest OSs. Hypervisor 12 can be part of a server, afirewall, an antivirus solution, or more generically, a computer. In oneexample implementation, hypervisor 12 is a Xen element, which runs onbare hardware and which provides the capability of running multipleinstances of OSs simultaneously on the same hardware. A typical Xensetup may involve Xen running beneath multiple OSs, where applicationsare on top of the OSs, which are associated with a group of guests(e.g., guest 14). The entire configuration may be provided in a server(or some other network appliance). In an example embodiment, guest 14can be running an OS associated with DOM0 42. Note that the Xenimplementation is only representing one possible example to which thepresent disclosure can apply. Any number of additional hypervisors couldsimilarly benefit from the broad teachings discussed herein.

Control tools for managing hypervisor 12 can run on DOM0 42. DOM0 42 mayprovide a unified interface to manage guests (e.g., guest 14) onhypervisor 12. DOM0 42 may provide a means for an administrator toconfigure hypervisor 12, including managing storage, controlling aspectsof guest behavior, setting up virtual networks, configuring a hypervisorand one or more guests, and creating, deleting, shutting down, bootingup, etc. guests. For example, this kind of setup can be popular in datacenters where servers run Xen, which in turn hosts multiple instances ofguests. DOM0 42 may include modified Linux kernel, and can have specialrights to access physical I/O resources, as well as interact with theother virtual machines running on the system. Typically, DOM0 42 is thefirst domain launched when the system is booted, and it can be used tocreate and configure all other regular guests (e.g., guest 14). Thehypervisor environments can require DOM0 42 to be running before otherguests can be started.

Turning to FIG. 2, FIG. 2 is a simplified flow-chart illustratingexample operational steps that may be associated with embodiments of thepresent disclosure. Operations 100 may begin in 102, when DOM0 42 isactivated. In 104, a lockdown feature during domain creation may beenabled (associated with a VMEXIT transition from a guest context to ahypervisor context) by lockdown module 44. In 106, a lockdown featurebit in a domain specific data structure may be set in hypervisor 12. In108, a hypervisor virtual machine (HVM) (i.e., guest 14) may be started.In 110, guest OS 18 may create page table entries (PTEs) for guestkernel pages 30, with a VMEXIT to hypervisor 12. In 112, rootkitprotection module 36 may create PTEs 34 for guest kernel pages 30 inshadow page table 32. In 114, rootkit protection module 36 may mark PTEs34 as NOT_PRESENT in shadow page table 32 maintained by hypervisor 12.Consequently, any attempts to access guest kernel pages 30 whose PTEs 34have been marked can cause a page fault. In addition, this operation maybe provided along with a virtual machine instruction (VMRUN) associatedwith processor 22 in 116.

If rootkit protection has been enabled (e.g., guest OS 18 has booted upand loaded its kernel components), some of guest kernel pages 30 may nothave been used and as such there would not have been a page fault forthem. To capture such pages, in 118, page fault handler 40 may walkshadow page table 32 in hypervisor 12 and create a duplicate page foreach page of guest kernel pages 30 and keep a mapping of thecorresponding virtual address to the duplicate page's machine page framenumber (MFN). MFN refers to the page number allocated in machine memory24 for corresponding virtual addresses. In an example embodiment, theseactivities may be performed once after the boot has completed and,subsequently, system 10 may be considered locked. If rootkit protectionis not enabled (e.g., guest OS 18 has not booted up and loaded itskernel components), page fault handler 40 may create a duplicate pagefor each page in guest 14's kernel and keep a mapping of thecorresponding virtual base address (corresponding to the virtual addresswhere the first byte of the kernel pages will be stored) to theduplicate page's MFN.

In 120, a process in application 20 in guest OS 14 may attempt to accessguest kernel pages 30. Attempting to access guest kernel pages 30 cancause a page fault in 122 (as PTEs 34 corresponding to guest kernelpages 30 have been marked as NOT_PRESENT). When a page fault isencountered in 122, a determination is made in 124 if the page fault isan instruction page fault or a data page fault. If the page fault is adata page fault, page fault handler 40 may fix the page faultpermanently (e.g., allow future access/execution) by pointing to theoriginal physical page and marking the corresponding PTE as NX(no-execute) and writable in 126. Application 20 may be allowed toaccess shadow page table 32 in 128 and the process ends in 130. This canensure that attempts to access data do not cause page faults, but thatattempts to execute code do cause page faults such that control ispassed to hypervisor 12.

If the determination in 124 is that the page fault is an instructionfault, a determination may be made in 131 whether the correspondingduplicate page is present in duplicate pages 38. If the duplicate pageis present, page fault handler 40 may fix the page fault permanently bypointing the faulting virtual address to the MFN (in shadow page tables32) corresponding to duplicate pages 38 in 132, and mark the pageread-only so that any writes to the page can cause a fault. Thisoperation may cause the code that existed at the time of creation ofduplicate pages 38 to be executed. On the other hand, if thecorresponding duplicate page is not present in duplicate pages 38, pagefault handler 40 may block execution of the page in 133. Thus, new ormodified code may not be executed. Any modification to code may happenin guest kernel pages 30 and any execution of modified guest kernelpages 30 may be from hypervisor's duplicate pages 38. Shadow page table32 may be accessed by application 20 (but this time, duplicate pages 36may be read, instead of guest kernel pages 30) in 128, and the processmay end in 130.

Software for kernel rootkit protection (as well as inhibiting dangerouscode from being executed) can be provided at various locations (e.g.,within rootkit protection module 36). In one example implementation,this software is resident in a computer sought to be protected from asecurity attack (or protected from unwanted, or unauthorizedmanipulations of a writeable memory area). In a more detailedconfiguration, this software is specifically resident in a securitylayer of the hypervisor, which may include (or otherwise interface with)the components depicted by FIG. 1. In still other embodiments, softwarecould be received or downloaded from a web server (e.g., in the contextof purchasing individual end-user licenses for separate devices,separate virtual machines, guests, hypervisors, servers, etc.) in orderto provide this kernel rootkit protection.

In other examples, the kernel rootkit protection functions could involvea proprietary element (e.g., as part of an antivirus solution), whichcould be provided in (or be proximate to) these identified elements, orbe provided in any other device, server, network appliance, console,firewall, switch, information technology (IT) device, etc., or beprovided as a complementary solution (e.g., in conjunction with afirewall), or provisioned somewhere in the network. As used herein inthis Specification, the term ‘computer’ is meant to encompass thesepossible elements (VMMs, hypervisors, Xen devices, virtual devices,network appliances, routers, switches, gateway, processors, servers,loadbalancers, firewalls, or any other suitable device, component,element, or object) operable to affect or process electronic informationin a security environment. Moreover, this computer may include anysuitable hardware, software, components, modules, interfaces, or objectsthat facilitate the operations thereof. This may be inclusive ofappropriate algorithms and communication protocols that allow for theeffective protection against kernel rootkits. In addition, the kernelrootkit protection functions can be consolidated in any suitable manner.Along similar design alternatives, any of the illustrated modules andcomponents of the various FIGURES may be combined in various possibleconfigurations: all of which are clearly within the broad scope of thisSpecification.

Any of these elements (e.g., a computer, a server, a network appliance,a firewall, a hypervisor, any other type of virtual element, etc.) mayinclude a processor that can execute software or an algorithm to performthe kernel rootkit protection activities as discussed in thisSpecification. Additionally, each of these elements (e.g., a computer, aserver, a network appliance, a firewall, a hypervisor, any other type ofvirtual element, etc.) can include memory elements (random access memory(RAM), ROM, EPROM, EEPROM, ASIC, etc.), software, hardware, or in anyother suitable component, device, element, or object where appropriateand based on particular needs. The information being tracked, sent,received, or stored in system 10 could be provided in any database,register, table, cache, queue, control list, or storage structure, basedon particular needs and implementations, all of which could bereferenced in any suitable timeframe.

These elements and/or modules can cooperate with each other in order toperform the activities in connection with kernel rootkit protection in ahypervisor environment as discussed herein. In other embodiments, thesefeatures may be provided external to these elements, included in otherdevices to achieve these intended functionalities, or consolidated inany appropriate manner. For example, some of the processors associatedwith the various elements may be removed, or otherwise consolidated suchthat a single processor and a single memory location are responsible forcertain activities. In a general sense, the arrangement depicted inFIGURES may be more logical in its representation, whereas a physicalarchitecture may include various permutations, combinations, and/orhybrids of these elements.

Any of the memory items discussed herein (e.g., guest kernel pages 30,shadow page table 32, machine memory 24, guest virtual memory 26, guestphysical memory 28, hash 38, etc.) should be construed as beingencompassed within the broad term ‘memory element.’ Similarly, any ofthe potential processing elements, modules, and machines described inthis Specification should be construed as being encompassed within thebroad term ‘processor.’ Each of the computers, network appliances,virtual elements, etc. can also include suitable interfaces forreceiving, transmitting, and/or otherwise communicating data orinformation in a hypervisor environment.

A processor can execute any type of instructions associated with thedata to achieve the operations detailed herein in this Specification. Inone example, the processor (as shown in the FIGURES) could transform anelement or an article (e.g., data) from one state or thing to anotherstate or thing. In another example, the activities outlined herein maybe implemented with fixed logic or programmable logic (e.g.,software/computer instructions executed by a processor) and the elementsidentified herein could be some type of a programmable processor,programmable digital logic (e.g., a field programmable gate array(FPGA), an erasable programmable read-only memory (EPROM), anelectrically erasable programmable ROM (EEPROM)) or an ASIC thatincludes digital logic, software, code, electronic instructions, or anysuitable combination thereof.

In certain example implementations, the kernel rootkit protectionfunctions outlined herein may be implemented by logic encoded in one ormore tangible, nontransitory media (e.g., embedded logic provided in anapplication specific integrated circuit (ASIC), digital signal processor(DSP) instructions, software (potentially inclusive of object code andsource code) to be executed by a processor, or other similar machine,etc.). In some of these instances, a memory element (as shown in theFIGURES) can store data used for the operations described herein. Thisincludes the memory element being able to store software, logic, code,or processor instructions that are executed to carry out the activitiesdescribed in this Specification. In various embodiments, some or all ofthese elements include software (or reciprocating software) that cancoordinate, manage, or otherwise cooperate in order to achieve theoperations as outlined herein. One or more of these elements may includeany suitable algorithms, hardware, software, components, modules,interfaces, or objects that facilitate the operations thereof.

Note that with the numerous examples provided herein, interaction may bedescribed in terms of two, three, four, or more network elements andmodules. However, this has been done for purposes of clarity and exampleonly. It should be appreciated that the system can be consolidated inany suitable manner. Along similar design alternatives, any of theillustrated modules, components, and elements of FIG. 1 may be combinedin various possible configurations, all of which are clearly within thebroad scope of this Specification. In certain cases, it may be easier todescribe one or more of the functionalities of a given set of flows byonly referencing a limited number of elements or components. It shouldbe appreciated that the system of FIG. 1 (and its teachings) is readilyscalable and can accommodate a large number of components, as well asmore complicated/sophisticated arrangements and configurations.Accordingly, the examples provided should not limit the scope or inhibitthe broad teachings of system 10 as potentially applied to a myriad ofother architectures.

It is also important to note that the operations described withreference to the preceding FIGURES illustrate only some of the possiblescenarios that may be executed by, or within, the system. Some of theseoperations may be deleted or removed where appropriate, or these stepsmay be modified or changed considerably without departing from the scopeof the discussed concepts. In addition, the timing of these operationsmay be altered considerably and still achieve the results taught in thisdisclosure. The preceding operational flows have been offered forpurposes of example and discussion. Substantial flexibility is providedby the system in that any suitable arrangements, chronologies,configurations, and timing mechanisms may be provided without departingfrom the teachings of the discussed concepts.

What is claimed is:
 1. A method, comprising: creating a soft whitelisthaving an entry corresponding to a guest kernel page of a guestoperating system (OS) in a hypervisor environment comprising ahypervisor, wherein the entry is a duplicate page of the guest kernelpage; marking a page table entry of the guest kernel page as not presentin a shadow page table of the hypervisor; generating a page fault when aprocess attempts to access the guest kernel page; determining whetherthe page fault is an instruction page fault; and in response to thedetermining whether the page fault is the instruction page fault:marking the page table entry corresponding to the guest kernel page asread-only, determining whether the duplicate page is present in the softwhitelist, and further in response to the determining whether theduplicate page is present in the soft whitelist, redirecting the processto the duplicate page corresponding to the guest kernel page.
 2. Themethod of claim 1, wherein the redirecting comprises changing a machinepage frame number in the shadow page table of the hypervisor to point tothe duplicate page corresponding to the guest kernel page.
 3. The methodof claim 1, further comprising: if the page fault is a data page fault:fixing the page fault; and marking the page table entry corresponding tothe guest kernel page as non-executable and writeable.
 4. The method ofclaim 3, wherein the fixing includes pointing to an original physicalpage.
 5. The method of claim 1, wherein the creating the soft whitelistis performed after the guest OS has loaded kernel components at boot,and the method further comprises: walking the shadow page table of thehypervisor; and mapping a virtual address of the guest kernel page to amachine page frame number of the corresponding duplicate page.
 6. Themethod of claim 1, wherein the guest OS has not loaded at least somekernel components, and the method further comprises: mapping a virtualbase address of the guest kernel page to a machine page frame number ofthe corresponding duplicate page.
 7. The method of claim 1, furthercomprising: mapping a virtual address of the guest kernel page to amachine page frame number of the corresponding duplicate page; anddetermining whether the corresponding duplicate page is present in thesoft whitelist, wherein the creating the soft whitelist is performedafter the guest OS has loaded kernel components at boot.
 8. Anapparatus, comprising: a memory; and a processor configured to create asoft whitelist having an entry corresponding to a guest kernel page of aguest OS in a hypervisor environment comprising a hypervisor, whereinthe entry is a duplicate page of the guest kernel page, to mark a pagetable entry of the guest kernel page as not present in a shadow pagetable of the hypervisor, to generate a page fault when a processattempts to access the guest kernel page, and to determine whether thepage fault is an instruction page fault, in response to a determinationwhether the page fault is the instruction page fault, the processor tomark the page table entry corresponding to the guest kernel page asread-only, to determine whether the duplicate page is present in thesoft whitelist, and, further in response to a determination whether theduplicate page is present in the soft whitelist, to redirect the processto the duplicate page corresponding to the guest kernel page.
 9. Theapparatus of claim 8, wherein the processor redirects the process bychanging a machine page frame number in the shadow page table of thehypervisor to point to the duplicate page corresponding to the guestkernel page.
 10. The apparatus of claim 8, wherein the processor isfurther configured to, if the page fault is a data page fault, fix thepage fault, and mark the page table entry corresponding to the guestkernel page as non-executable and writeable.
 11. The apparatus of claim10, wherein the processor fixes the page fault by pointing to anoriginal physical page.
 12. The apparatus of claim 8, wherein theprocessor is configured to map a virtual address of the guest kernelpage to a machine page frame number of the corresponding duplicate pageand to determine whether the corresponding duplicate page is present inthe soft whitelist, and the soft whitelist is created after the guest OShas loaded kernel components at boot.
 13. A non-transitory mediumencoded with logic that includes code for execution and comprising:instructions to create a soft whitelist having an entry corresponding toa guest kernel page of a guest OS in a hypervisor environment comprisinga hypervisor, wherein the entry is a duplicate page of the guest kernelpage; instructions to mark a page table entry of the guest kernel pageas not present in a shadow page table of the hypervisor; instructions togenerate a page fault when a process attempts to access the guest kernelpage; instructions to determine whether the page fault is an instructionpage fault; and instructions to, in response to a determination whetherthe page fault is the instruction page fault: mark the page table entrycorresponding to the guest kernel page as read-only, determine whetherthe duplicate page is present in the soft whitelist, and further inresponse to a determination whether the duplicate page is present in thesoft whitelist, redirect the process to the duplicate page correspondingto the guest kernel page.
 14. The non-transitory medium of claim 13,wherein the instructions to redirect comprise instructions to change amachine page frame number in the shadow page table of the hypervisor topoint to the duplicate page corresponding to the guest kernel page. 15.The non-transitory medium of claim 13, the code further comprising:instructions to, if the page fault is a data page fault, fix the pagefault, and mark the page table entry corresponding to the guest kernelpage as non-executable and writeable.
 16. The non-transitory medium ofclaim 15, wherein the page fault is fixed by pointing to an originalphysical page.
 17. The non-transitory medium of claim 15, wherein, uponthe determination that the duplicate page is present in the softwhitelist, marking the page table entry corresponding to the guestkernel page as read-only.
 18. The non-transitory medium of claim 15, thecode further comprising: instructions to block an execution of the guestkernel page, upon a determination that the duplicate page is not presentin the soft whitelist.
 19. The non-transitory medium of claim 13,wherein the soft whitelist is created after the guest OS has loaded aplurality of kernel components at boot, and the code further comprises:instructions to walk the shadow page table of the hypervisor; andinstructions to map a virtual address of the guest kernel page to amachine page frame number of the corresponding duplicate page.
 20. Thenon-transitory medium of claim 13, the code further comprising:instructions to map a virtual address of the guest kernel page to amachine page frame number of the corresponding duplicate page; andinstructions to determine whether the corresponding duplicate page ispresent in the soft whitelist, wherein the soft whitelist is createdafter the guest OS has loaded a plurality of kernel components at boot.